On Fri, Aug 13, 2021 at 9:42 PM Mark Reynolds <[email protected]> wrote:
> > On 8/13/21 2:40 PM, Michael Starling wrote: > > > > ------------------------------ > *From:* Michael Starling <[email protected]> > <[email protected]> > *Sent:* Friday, August 13, 2021 10:41 AM > *To:* Mark Reynolds <[email protected]> <[email protected]>; > General discussion list for the 389 Directory server project. > <[email protected]> <[email protected]> > *Subject:* Re: [389-users] How to replicate password lockout attributes > from a consumer or hub to a master(s) > > > > ------------------------------ > *From:* Michael Starling <[email protected]> > <[email protected]> > *Sent:* Thursday, August 12, 2021 3:29 PM > *To:* Mark Reynolds <[email protected]> <[email protected]>; > General discussion list for the 389 Directory server project. > <[email protected]> <[email protected]> > *Subject:* Re: [389-users] How to replicate password lockout attributes > from a consumer or hub to a master(s) > > > > ------------------------------ > *From:* Mark Reynolds <[email protected]> <[email protected]> > *Sent:* Thursday, August 12, 2021 3:16 PM > *To:* Michael Starling <[email protected]> > <[email protected]>; General discussion list for the 389 Directory > server project. <[email protected]> > <[email protected]> > *Subject:* Re: [389-users] How to replicate password lockout attributes > from a consumer or hub to a master(s) > > > > On 8/12/21 2:33 PM, Michael Starling wrote: > > > > ------------------------------ > *From:* Mark Reynolds <[email protected]> <[email protected]> > *Sent:* Thursday, August 12, 2021 11:48 AM > *To:* General discussion list for the 389 Directory server project. > <[email protected]> <[email protected]>; > Michael Starling <[email protected]> <[email protected]> > *Subject:* Re: [389-users] How to replicate password lockout attributes > from a consumer or hub to a master(s) > > > > On 8/12/21 10:53 AM, Michael Starling wrote: > > Hello. > > I've taken over a large 389-ds environment running on Oracle Linux 8 and > the first task I need to complete is to enable password lockouts. > > > > I was able to enable password lockouts successfully however it only works > if the client is pointed directly to a master. The account locks out and > the attributes are propagated down to the hubs and consumers. > > If the client is pointed to a read-only hub or consumer then the account > does not lockout and the password attributes do not propagate back to the > masters. > > *passwordIsGlobalPolicy*: on is set on all masters, hubs and consumers > > Password policy attributes I expect to replicate: > > *passwordRetryCount* > *accountUnlockTime* > *retryCountResetTime* > > I've tried following the chaining guide below which I think is what I need > to do to get this work as expected, however I've hit a snag. > > > https://directory.fedoraproject.org/docs/389ds/howto/howto-chainonupdate.html > 389 Directory Server - Howto:ChainOnUpdate > <https://directory.fedoraproject.org/docs/389ds/howto/howto-chainonupdate.html> > Introduction. The usual deployment for a large replication topology will > have the client applications reading from hubs or dedicated consumers in > order to spread out the load and off-load search request processing from > the masters. > directory.fedoraproject.org > The document states the backend must be added to the hub or consumer, > however when I try and add the following LDIF to the hub I get the > "unwilling to perform" error. > > This makes sense because the hub is read-only so I'm confused as how I can > update the config on a read-only hub or consumer? > > Hi Michael, To complete Mark's answer and try to solve your confusion: hub and consumer are read-only replicas (i.e backends) cn=config is another backend that is still writable. So you should not be able to modify the entries in the replicated suffix ( and should instead get referrals towards the master(s)) but you should still be able to modify the config. Regards, Pierre > dn: cn=chainlab,cn=chaining database,cn=plugins,cn=config > objectclass: top > objectclass: extensibleObject > objectclass: nsBackendInstance > cn: chainlab > nsslapd-suffix: dc=domain,dc=com > nsfarmserverurl: ldap://dsa1.domain.com:389 ldap://dsa2.domain.com:389 > ldap://dsa3.domain.com:389 > nsmultiplexorbinddn: uid=repluser,cn=config > nsmultiplexorcredentials: mypassword > nsCheckLocalACI: on > > adding new entry "cn=chainlab,cn=chaining database,cn=plugins,cn=config" > ldap_add: Server is unwilling to perform (53) > > This is the doc you want to follow to get this working. But it is > complicated... > > > In this case I'm not sure why the error 53 is being returned. There is > something about that entry it does not like. So please check the access > and errors log from the time of this failure (see > /var/log/dirsrv/slapd-YOUR_INSTANCE/). There is usually more info logged > when an error 53 happens. > > > Also what version of 389-ds-base are you running? > > > Thanks, > Mark > > Hub or Consumer > > Step 1 (Hub and Consumer): the chaining backend must be created on the hub > and consumer: > > dn: cn=chainbe1,cn=chaining database,cn=plugins,cn=config > objectclass: top > objectclass: extensibleObject > objectclass: nsBackendInstance > cn: chainbe1 > nsslapd-suffix: <suffix to replicate> > nsfarmserverurl: ldap://supplier1:port supplier2:port ... supplierN:port/ # > also, ldaps can be used instead > # > of ldap for secure connections - > # > requires the secure port > nsmultiplexorbinddn: cn=Replication Manager,cn=config # or whatever the > replica bind DN is on the supplier > nsmultiplexorcredentials: password > nsCheckLocalACI: on > > > Any help would be greatly appreciated. > > Thanks > > _______________________________________________ > 389-users mailing list -- [email protected] > To unsubscribe send an email to [email protected] > Fedora Code of Conduct: > https://docs.fedoraproject.org/en-US/project/code-of-conduct/ > List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines > List Archives: > https://lists.fedoraproject.org/archives/list/[email protected] > Do not reply to spam on the list, report it: > https://pagure.io/fedora-infrastructure > > -- > Directory Server Development Team > > Thanks for getting me the right track Mark. Looks like the "nsFarmServerURL" > is not correct. > > Versions: > 389-ds-base-libs-1.4.3.17-1.module_el8+10764+2b5f8656.x86_64 > 389-ds-base-1.4.3.17-1.module_el8+10764+2b5f8656.x86_64 > > I thought I was maybe hitting the bug described below so I added a trailing > "/" but the issue persists. > https://bugzilla.redhat.com/show_bug.cgi?id=1363970 > > nsfarmserverurl: ldap://dsa1.domain.com:389 ldap://dsa2.domain.com:389 > ldap://dsa3.domain.com:389*/* > > This is what I see in the logs on the hub when trying to add the LDIF. > > The idea is for the hub to send these password attributes back to all masters. > > These are the masters in the environment. > ldap://dsa1.domain.com:389 > ldap://dsa2.domain.com:389 > ldap://dsa3.domain.com:389 > [12/Aug/2021:14:12:38.228746875 -0400] - ERR - chaining database - > cb_instance_config_initialize - *Error with config attribute nsfarmserverurl > : not a valid LDAP URL* > [12/Aug/2021:14:12:38.230107318 -0400] - ERR - chaining database - > cb_instance_add_config_check_callback - Can't instantiate chaining backend > instance chainlab. > [12/Aug/2021:14:13:11.436433137 -0400] - ERR - chaining database - > cb_instance_config_initialize - Error with config attribute nsfarmserverurl : > not a valid LDAP URL > [12/Aug/2021:14:13:11.437510161 -0400] - ERR - chaining database - > cb_instance_add_config_check_callback - Can't instantiate chaining backend > instance chainlab. > [12/Aug/2021:14:15:15.652343542 -0400] - ERR - chaining database - > cb_instance_config_initialize - Error with config attribute nsfarmserverurl : > not a valid LDAP URL > [12/Aug/2021:14:15:15.653524818 -0400] - ERR - chaining database - > cb_instance_add_config_check_callback - Can't instantiate chaining backend > instance chainlab. > [12/Aug/2021:14:20:12.212414022 -0400] - ERR - chaining database - > cb_instance_config_initialize - Error with config attribute nsfarmserverurl : > not a valid LDAP URL > [12/Aug/2021:14:20:12.213556900 -0400] - ERR - chaining database - > cb_instance_add_config_check_callback - Can't instantiate chaining backend > instance chainlab > > Ok, I think its not liking the multiple values in the attribute, even > though the document says you have multiple urls. I think you need to add > the config like this: > > > nsfarmserverurl: ldap://dsa1.domain.com:389 > > nsfarmserverurl: ldap://dsa2.domain.com:389 > > nsfarmserverurl: ldap://dsa3.domain.com:389 > > > Give it a try? > > > HTH, > > Mark > > > -- > Directory Server Development Team > > Looks like it only added the first entry. Do I need to add an entry for each > MAster? > > dn: cn=chainlab,cn=chaining database,cn=plugins,cn=config > objectClass: top > objectClass: extensibleObject > objectClass: nsBackendInstance > cn: chainlab > nsslapd-suffix: dc=domain,dc=com > *nsfarmserverurl: ldap://dsa1.domain.com:389* > nsmultiplexorbinddn: uid=replicator,cn=config > nsmultiplexorcredentials: > {AES-TUhNR0NTcUdTSWIzRFFFRkRUQm1NRVVHQ1NxR1NJYjNEUUVGRERBNEJDUm1aRFUwT1dOak5DMDVPVFl5TXpJMg0KWlMwNE16ZzFNVFl3TXkweU5tVTROekJtWkFBQ0FRSUNBU0F3Q2dZSUtvWklodmNOQWdjd0hRWUpZSVpJQVdVRA0KQkFFcUJCQTdhVjl4Z0NZcFkzR21YV2x0c293Mg==}u4FHsJF3AVHAqgtGCMXudA== > nsbindconnectionslimit: 3 > nsoperationconnectionslimit: 20 > nsabandonedsearchcheckinterval: 1 > nsconcurrentbindlimit: 10 > nsconcurrentoperationslimit: 2 > nsproxiedauthorization: on > nsconnectionlife: 0 > nsbindtimeout: 15 > nsreferralonscopedsearch: off > nschecklocalaci: on > nsbindretrylimit: 3 > nsslapd-sizelimit: 2000 > nsslapd-timelimit: 3600 > nshoplimit: 10 > nsmaxresponsedelay: 60 > nsmaxtestresponsedelay: 15 > nsusestarttls: off > > Hi Mark. > > I tried adding the subsequent URL's and it doesn't allow multiple entries for > this attribute. > > It appears all the URLS need to be part of the one *nsfarmserverurl* > attribute*.* > > *ldap_initialize( ldap://dsa4.domain.com )* > *add nsFarmServerURL: ldap://dsa2.domain.com:389modifying entry > "cn=chainlab,cn=chaining database,cn=plugins,cn=config"ldap_modify: Server is > unwilling to perform (53)** additional info: Adding attributes is not > allowed* > > *I believe I have this working now.* > > *Thank you Mark for getting me pointed in the right direction.* > > Were you able to set multiple urls? Or did you just go with one for now? > > > Mark > > -- > Directory Server Development Team > > _______________________________________________ > 389-users mailing list -- [email protected] > To unsubscribe send an email to [email protected] > Fedora Code of Conduct: > https://docs.fedoraproject.org/en-US/project/code-of-conduct/ > List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines > List Archives: > https://lists.fedoraproject.org/archives/list/[email protected] > Do not reply to spam on the list, report it: > https://pagure.io/fedora-infrastructure > -- -- 389 Directory Server Development Team
_______________________________________________ 389-users mailing list -- [email protected] To unsubscribe send an email to [email protected] Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/ List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines List Archives: https://lists.fedoraproject.org/archives/list/[email protected] Do not reply to spam on the list, report it: https://pagure.io/fedora-infrastructure
